Tau is still early-stage software, but security issues are important. Please report suspected vulnerabilities through GitHub private vulnerability reporting for dpc/tau (https://github.com/dpc/tau/security/advisories/new) when available. If that path is unavailable, contact the maintainer privately first and avoid filing a public issue with exploit details.

The harness treats extensions as less-trusted peers connected over the Tau protocol. For extension-owned persistent data, the harness confines paths to per-extension state roots, rejects path traversal and symlink escapes, uses private file and directory permissions where supported, and enforces per-file and per-directory-list quotas. Quota failures are returned to extensions as quota_exceeded extension-data errors.

These quotas bound individual file writes, file reads, and directory listing work performed by the harness. They do not bound aggregate per-extension disk usage across many files, sandbox arbitrary extension code, or prevent protocol payloads from being deserialized before the harness validates an operation. Run only extensions you trust to execute on your machine.

extensions.<name>.require: false is only a degraded-startup availability policy for trusted local extensions. It lets Tau continue without that extension when startup/config/secret/pre-Ready setup fails; it is not a sandbox and does not broadly change post-Ready respawn/runtime semantics. Optional skips must still be surfaced as Important replayable harness diagnostics and must never hide extension config errors or leak secret values.

Per-agent metadata (agent.metadata_set / agent.metadata_unset) is durable, extension-visible, and interceptable by privileged local interceptors. It is a coordination mechanism, not a secret store: do not put API keys, tokens, private message contents, or other confidential data in metadata. Key ownership is by convention (for example ext_<extension-instance>_cwd); trusted extensions, UIs, and interceptors that can emit protocol events can attempt to write any metadata key subject to harness validation.

std-shell / tau-ext-shell is Tau's local filesystem and subprocess boundary. Its tools can read local files, mutate files, and execute host commands with the user's permissions. Treat shell commands, user ! commands, and model-requested filesystem writes as local code/data access rather than sandboxed operations.

Read-only shell mode is a defense-in-depth feature. Native filesystem isolation is enforced only when supported and enabled by enforce_ro_mode; otherwise mode: ro can degrade to ordinary command execution and must not be treated as a hard sandbox. Directory update locks are advisory coordination between Tau agents and ext-shell tools, not an operating-system access-control boundary. They do not prevent commands from writing outside their locked working directory or other local processes from changing files. The shell extension remembers each agent's current cwd in durable metadata (ext_<extension-instance>_cwd); that value is visible to extensions and should be treated as non-secret path context.

Skills are prompt instructions loaded from local/project Markdown files, not a sandbox or permission boundary. Project skills can be malicious prompt content. disable-model-invocation hides a skill from Tau's model-visible skill surfaces, but a model with filesystem tools could still read the underlying file if it learns the path. allowed-tools and similar frontmatter fields do not grant or restrict Tau tool permissions.

User /skill invocation explicitly reads the selected skill file, strips frontmatter, and injects the skill body into the next model prompt along with any user arguments. Treat invoking a skill as intentionally adding that local file content to the conversation context.

std-telegram / tau-ext-telegram is disabled by default because it bridges untrusted external Telegram text into Tau prompts. When enabled, it requires an explicit bot-token secret and non-empty allowlist of Telegram user ids. The model cannot provide arbitrary chat ids: outgoing messages use only the configured chat or an allowlisted user's linked private chat. Unconfigured group/supergroup chats are refused, and configured groups should be treated as shared output channels visible to everyone in that chat. Runtime registrations, selected agents, learned chat id, and update offsets are in-memory only. Avoid logs that include bot tokens, Bot API URLs, or unexpected private Telegram content.

std-rhai / tau-ext-rhai scripts are trusted local code. A Rhai script can register agent-invokable tools, handle model-originated tool calls, emit raw Tau events, and execute host shell commands directly through the Rhai extension. These shell commands intentionally do not route through tau-ext-shell and do not participate in ext-shell directory-update locks; only enable scripts you would be comfortable running as local programs.

Interceptors are privileged local extensions. They can see, modify, or drop most events they subscribe to before those events commit. Must-pass and immutable checks protect selected harness-owned facts from integrity loss, but they are not confidentiality boundaries: do not expose sensitive event streams to interceptors you do not trust.

The terminal UI executes trusted local configuration and environment-derived commands, including key-binding shell snippets, completion commands, $EDITOR, and $VISUAL. Treat cli.yaml, inherited environment variables, and PATH as local code execution inputs rather than untrusted data.

Prompt completion may read the local filesystem and query git for tracked and unignored files. These operations should stay bounded and best-effort: failures or quota/size limits should disable the completion source or surface a local notice, not wedge the prompt.

Raw terminal mode is a process-local ownership boundary. Before spawning editors or pickers, Tau must pause redraws, release raw-mode features, and always clear that paused state when setup or resume fails so the UI cannot remain permanently muted. Abort paths for terminal-releasing shell actions should terminate the owned process group before Tau resumes raw-mode/redraw ownership. Redraw and input coordination assumes a single foreground reader thread; background renderer threads must not write while the terminal is released to an external program.

Transcript Markdown-lite formatting is a presentation-only terminal UI feature. It must not change protocol events, persisted logs, model context, or non-UI clients, and it must produce only Tau styled text spans rather than raw terminal escape sequences. Keep its scope narrow to submitted user prompts, assistant responses, and thinking text; do not accidentally run it over tool output, shell output, or other machine-generated blocks where styling could obscure exact results. Markdown table padding is also display-only: it may add spacing around cell contents for readability, but must preserve the cell text, avoid code contexts, and keep bounded output amplification.

When reporting a vulnerability, include:

• affected Tau version or commit;
• operating system and relevant configuration;
• minimal reproduction steps;
• whether an extension, provider, UI client, or daemon boundary is involved;
• any logs that do not contain secrets.

Avoid sharing API keys, OAuth tokens, email contents, or other private data in reports.